Industry in Saudi Arabia and US targeted by APT33/Elfin

Cyber-espionage group Elfin, aka APT33, has launched a heavily targeted campaign against multiple organisations in Saudi Arabia and the United States.

Cyber-espionage group Elfin, aka APT33, has launched a heavily targeted campaign against multiple organisations in Saudi Arabia and the United States.

Researchers said the most recent targets include major corporations and despite 42 percent of observed attacks focusing heavily on Saudi Arabia. The US has also been an area of interest for the group with 18 organisations, including several Fortune 500 companies, being hit over the past three years, according to a 27 March Symantec blog post.

US-based targets have been against firms in the engineering, chemical, research, energy consultancy, finance, IT and healthcare sectors with some organisations being targeted for mounting supply chain attacks, researchers said in the report.

"In a recent wave of attacks during February 2019, Elfin attempted to exploit a known vulnerability (CVE-2018-20250) in WinRAR, the widely used file archiving and compression utility capable of creating self-extracting archive files," the report said. "The exploit was used against one target in the chemical sector in Saudi Arabia."

The threat group has deployed a wide range of tools in its custom malware toolkit including Backdoor.Notestuk (aka TURNEDUP), Trojan.Stonedrill and AutoIt backdoor. Similar to other nation state groups, APT33 looks to exploit unpatched systems.

FireEye researchers also monitored the hacking group as it sent multiple spear-phishing emails with malicious WinRAR attachments to people in the energy sector last month purportedly from senior executives Middle East oil and gas organisations, Nalani Fraser, FireEye’s senior manager of threat intelligence, told CyberScoop.

Symantec researchers described APT33 as "one of the most active groups currently operating in the Middle East" and said they have shown a "willingness to continually revise its tactics and find whatever tools it takes to compromise its next set of victims."

The group has been active since 2015 or early 2016 and has been targeting compromising targets, including government organisations in the research, chemical, engineering, manufacturing, consulting, finance, telecoms and other sectors.

In December 2018, the group was linked to a wave of Shamoon attacks, one of which infected a company Saudi Arabia that had also been attacked by Elfin, leading researchers to believe the groups were connected.

Last year, FireEye found that the Iranian threat group had been launching hacking and spear-phishing attacks against US, Saudi and South Korean aerospace and petrochemical companies.